Translating PAT From Public IP to Inside Address

Answered Question
Feb 2nd, 2012

Is it possible with the Cisco ASA to translate an outside address to an internal address during PAT? So what I want to do is dynamic outside address translation after the PAT. So if a user on the outside connects to us through a PAT rule, his outside address is translated to an inside address.

Julio Carvajal Thu, 02/02/2012 - 10:52

Hello,


So 192.168.12.0/24 inside ----ASA------ outside 2.2.2.0/24


You want that if an outside user goes into your network, he gets PATed to 192.168.12.x, right?


If that is what you are looking for, yes that is possible on the ASA!!


Regards,


Julio

Tshi M Thu, 02/02/2012 - 11:26

Yes, exactly. I have some PAT commands configured. How do I go about doing that?


static (inside,outside) tcp VIP 3078 172.16.1.68 ssh netmask 255.255.255.255

static (inside,outside) tcp VIP 7500 172.16.1.4 1433 netmask 255.255.255.255


I want that when a user establishes a connection to VIP or either port, the public IP address gets translated to 172.16.1.x

Correct Answer
Julio Carvajal Thu, 02/02/2012 - 11:58

Hello Tshi,


You will need:


access-list test permit tcp outside_user_ip host VIP eq 7500

access-list test permit tcp outside_user_ip host VIP eq 3078


nat (outside) 10 access-list test outside

global (inside) 10 172.16.1.x


Regards,


Do rate helpful posts



Julio

Tshi M Thu, 02/02/2012 - 12:18

Julio,


Thanks indeed. I will try this shortly. Does it matter if I already have an access-list applied to the outside interface? Or can I just use it with nat 10?


access-list FROM_INTERNET extended permit tcp any host VIP eq 3078

access-list FROM_INTERNET extended permit tcp any host VIP eq 7500

access-group FROM_INTERNET in interface outside

Correct Answer
Julio Carvajal Thu, 02/02/2012 - 12:44

Hello Tshi,


The new ACL that I provided you is not applied to the outside interface, so don't worry about that.


Regards,


Julio

Tshi M Thu, 02/02/2012 - 19:51

Julio,


Thanks indeed...this was extremely helpful.
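
The translation this thread arrives at, modeled in Python as an added example (not part of the original posts and not Cisco code): the interface ACL filters, the static PAT rewrites the destination, and the `test` ACL only selects which sources get rewritten to the inside pool. The addresses standing in for VIP, outside_user_ip and 172.16.1.x, the `next_pat_port` parameter, and the assumption that nat-control is disabled are all constructed for illustration.

```python
from ipaddress import ip_address

# Constructed stand-ins for the thread's placeholders (documentation ranges).
VIP = "203.0.113.10"            # "VIP" in the thread
OUTSIDE_USER = "198.51.100.25"  # "outside_user_ip" in the thread
POOL_ADDR = "172.16.1.200"      # "172.16.1.x" in global (inside) 10

# access-group FROM_INTERNET in interface outside: this ACL filters traffic.
FROM_INTERNET = [("any", VIP, 3078), ("any", VIP, 7500)]
# access-list test: only selects traffic for nat (outside) 10, never filters.
NAT_ACL_TEST = [(OUTSIDE_USER, VIP, 7500), (OUTSIDE_USER, VIP, 3078)]
# static (inside,outside) tcp VIP <port> <real_ip> <real_port>
STATIC_PAT = {(VIP, 3078): ("172.16.1.68", 22),
              (VIP, 7500): ("172.16.1.4", 1433)}


def acl_match(acl, src, dst, dport):
    """True if any (source, destination, port) entry matches the packet."""
    return any(s in ("any", src) and d == dst and p == dport
               for s, d, p in acl)


def translate_inbound(src, sport, dst, dport, next_pat_port=1024):
    """Return the packet as the inside server sees it, or None if dropped.

    Assumes nat-control is disabled, so outside sources that do not match
    the NAT ACL pass through with their real address.
    """
    ip_address(src), ip_address(dst)  # reject malformed addresses early
    if not acl_match(FROM_INTERNET, src, dst, dport):
        return None  # dropped by the interface ACL
    if (dst, dport) not in STATIC_PAT:
        return None  # no static PAT entry to forward to
    real_ip, real_port = STATIC_PAT[(dst, dport)]
    if acl_match(NAT_ACL_TEST, src, dst, dport):
        # Outside NAT: source rewritten to the inside pool address (PAT).
        # next_pat_port is a hypothetical port picked by the model.
        src, sport = POOL_ADDR, next_pat_port
    return {"src": src, "sport": sport, "dst": real_ip, "dport": real_port}
```

For translated sessions the inside servers log only the pool address, so the real client address has to be recovered from the ASA's own translation and connection records.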
